Providing adequate tools to tackle the problem of inconsistent compliance rules is a critical research
topic. This problem is of paramount importance to achieve automatic support for early declarative
design and to support the evolution of rules in contract-based or service-based systems. In this paper we
investigate the problem of extracting temporal unsatisfiable cores in order to detect the inconsistent
part of a specification. We extend conflict-driven SAT solvers to provide a new conflict-driven depth-
first-search solver for temporal logic. We use this solver to compute LTL unsatisfiable cores without
re-exploring the history of the solver.

1 Introduction

Providing adequate tools to tackle the problem of inconsistent compliance rules is a critical research
topic. However, few tools fully analyze conflicts over the logics underpinning a natural language (e.g.
temporal logic, deontic logic, ...). Such early and declarative specifications can be critical for specifying
policies and requirements in agile and distributed environments. Thus, formal languages for compliance
requirements and their analysis have become critical in many computer science domains (e.g. business
process management, service oriented computing, e-commerce). An ongoing research topic is the analysis
of a conflicting set of temporal logic compliance rules. For instance, Table 1.a gives a toy set of
compliance rules. It will be used as a running example in the paper. All those rules except the last one
originate from an ongoing supply contract. Let us assume that the last one (r3.c) originates from another
internal requirement from a supplier. It turns out that this new requirement entails a conflict with rules
(r3.a) and (r3.b), shown in Table 1.b. This example shows the importance of automatic detection
of conflicting subsets of compliance rules. This problem is critical for debugging declarative specifications
[15, 11], handling conflicting contracts [10], or tackling unrealizable service compositions [20].
There exist several formalisms to deal with time such as LTL, MSO [9], TLTL, MTL [1]. These logics
underpin many modern compliance languages, and their associated theories and tools are used to address
problems related to verification [15, 26, 17], service composition [20], and graphical design of property
patterns.

... FP7/2007-2013 under grant agreement 215483 (S-Cube).

E. Pimentel, V. Valero (Eds.): Workshop on Formal Languages
and Analysis of Contract-Oriented Software 2011 (FLACOS'11)
EPTCS 68, 2011, pp. 39-53, doi: 10.4204/EPTCS.68.5

Handling Conflicts in DFS for LTL tableau

We investigate the problem of efficiently extracting temporal logic unsatisfiable cores for debugging
compliance rules. Intuitively, an unsatisfiable core is a conflicting subset of rules. We restrict ourselves
to LTL, for which many results and efficient model checking methods exist. However, the problem of
efficiently detecting a small LTL unsatisfiable core is still open [23, 6]. Conflict-driven methods exist
for SAT-solver algorithms. They provide quite efficient extraction of conflicting rules written in propositional
logic [28]. SAT solvers have been extended (e.g., Unbounded Model Checking (UMC) SAT solvers
[13]) to deal with the more expressive LTL. For the case of satisfiability^1 it consists in searching a lasso-
shaped model of length $k < 2^{O(|f|)}$ and in reducing to boolean SAT problems for increasing $k \in [0, 2^{O(|f|)}]$.
One of the critical (and basic) points of current boolean SAT solvers is their ability to prune 'bad' search
space. It is based on a smart use of boolean propagation. Analyzing the propagation enables to handle
a conflict while backtracking and to avoid immediately revisiting the same conflict. Learning the
conflict as a conflict clause also avoids revisiting the conflict later. This conflict-driven approach leads
easily to the extraction of a core. [6] proposes to extract unsatisfiable cores from the UMC method of
[11]. The authors also propose a 'SAT Modulo Theory'-like framework applied with symbolic global
model checking [1], but the conflict handling is not introduced inside the symbolic global model checking.
[23] analyzes a very expanded^2 tableau of [14] to define unsatisfiable cores, but again no analysis of
conflict is performed. Thus, contrary to boolean SAT solvers and extended UMC, neither global
model checking nor on-the-fly techniques handle conflicts. Moreover, in the nineties, resolution for
temporal logic [12] was proposed to tackle an unfair SCC as a minimal 'temporal conflict', but to the best
of our knowledge current boolean SAT-based solvers (e.g. [17, 13, 24, 18]) have not investigated this idea
yet, mainly because they are breadth-first search. But a drawback of resolution is that any conflict is
recorded using a resolvent, which entails too large a use of memory space in contrast to on-the-fly tableau,
symbolic model checking and UMC. In this paper, we propose a new conflict-driven depth-first-search
solver inspired by SAT-based solvers, DFS for tableau and resolution for temporal logic. Furthermore, we
show how it is possible to extract a small unsatisfiable core.

Overview of the paper  Section 2 introduces the background. Section 3 describes the technical details
needed by Section 4. Section 4 presents the solver. Section 5 is devoted to correctness, completeness and the extraction
of unsatisfiable cores. We conclude in Section 6.

2 Background 

Definition 1 (Syntax of LTL)

Let $P$ be a non-empty finite set of propositional variables, $p \in P$, and $A$ and $B$ two LTL formulas. A
temporal logic formula is inductively built by means of the following rules:

$TRUE \mid FALSE \mid p \mid A \wedge B \mid A \vee B \mid \neg A \mid X(A) \mid A\,U\,B \mid A\,W\,B$

Furthermore, $G(A) = (A)\,W\,(FALSE)$ and $F(A) = (TRUE)\,U\,(A)$.

Definition 2 (Semantics [1]) A linear time structure is an element $\mathcal{M}$ of $(2^P)^{\mathbb{N}}$. $\forall i \in \mathbb{N}, \forall \mathcal{M} \in (2^P)^{\mathbb{N}}$:

- $(\mathcal{M}, i) \models p$ with $p \in P$ iff $p \in \mathcal{M}(i)$

- if $A$ is a propositional combination of LTL formulas, $(\mathcal{M}, i) \models A$ is defined as usual

- $(\mathcal{M}, i) \models X(A)$ iff $(\mathcal{M}, i+1) \models A$

- $(\mathcal{M}, i) \models A\,U\,B$ iff $\exists j \geq i,\ (\mathcal{M}, j) \models B$ and $\forall k,\ i \leq k < j,\ (\mathcal{M}, k) \models A$

- $(\mathcal{M}, i) \models A\,W\,B$ iff $\forall j \geq i,\ (\mathcal{M}, j) \models A$ or ($\exists j \geq i,\ (\mathcal{M}, j) \models B$ and $\forall k,\ i \leq k < j,\ (\mathcal{M}, k) \models A$)

^1 No model to check against the LTL formula.
^2 The expansion disregards boolean conflicts.

[Table 1: LTL-translations of the running example]



Intuitively, the formula $X(A)$ stands for 'at the next time A will hold', $A\,U\,B$ stands for 'B will hold in
the future and from the current time until B holds, A must hold', $A\,W\,B$ stands for 'if B holds in the future then
from the current time until B holds, A must hold, and if B will never hold, then A must hold forever (weak
until)'. $G(A)$ stands for 'at any time A holds' and $F(A)$ stands for 'A will hold in the future'. For instance
$(\neg i)\,W\,p$ means that $i$ cannot occur as long as $p$ has not occurred.
In the rest of the paper we will assume w.l.g. that any LTL formula may contain the symbol $\neg$ solely applied
to propositional variable(s). We call such a formula Negative Normal Form (NNF).

Definition 3 (LTL SAT problem) An LTL formula $\varphi$ is satisfiable iff there exists a linear model $M$ such
that $(M, 0) \models \varphi$. Conversely, an LTL formula $\varphi$ is unsatisfiable iff there is no linear model $M$ such that
$(M, 0) \models \varphi$.

Definition 4 (unsatisfiable core) An unsatisfiable core of an unsatisfiable formula $\varphi$ is a formula $\varphi'$
such that (1) $\varphi'$ is the result of some substitution(s) in $\varphi$ of some positive subformula(s) by $TRUE$, (2) $\varphi'$
has no subformula of the form $A\,U/W\,(TRUE)$, $(TRUE)\,W\,B$, $A \vee (TRUE)$, $A \wedge TRUE$ or $X(TRUE)$, and (3)
$\varphi'$ still remains unsatisfiable. Table 1.b shows a small unsatisfiable core of our toy example formula. It
is critical to find a small (or ideally a minimal^3 (MU)) unsatisfiable core in order to detect the cause of a
conflict.

Theorem 1 (LTL minimal unsatisfiable core decision problem)
Deciding if an LTL formula is a minimal unsatisfiable core is in PSPACE.

(Sketch of the proof): For each positive subformula of $f$, substitute it by $TRUE$ and check unsatisfiability.
$f$ is a MU iff every such substitution leads to a satisfiable formula. There is a linear number of subformulas,
and each check is in PSPACE.

We furthermore conjecture that the above problem is PSPACE-complete.

[23] discusses the notion of granularity of a core. A coarse unsatisfiable core of a formula $f : f_1 \wedge f_2 \wedge \ldots \wedge f_n$
only substitutes $TRUE$ at the $f_j$ and not in a deeper subformula. Structure preserving translations of
the LTL formula $f$ into definitional conjunctive normal form provide an equi-satisfiable formula $f' :
f'_1 \wedge f'_2 \wedge \ldots \wedge f'_m$. The minimal coarse unsatisfiable cores of $f'$ correspond to the minimal unsatisfiable
cores of $f$ (see [23] for details). For instance if $f : G(a \wedge \neg b) \wedge F(b)$, an equi-satisfiable formula may
be $f' : G(x_{a \wedge \neg b}) \wedge G(x_{a \wedge \neg b} \Rightarrow a) \wedge G(x_{a \wedge \neg b} \Rightarrow \neg b) \wedge F(b)$. A coarse MU of $f'$ is $G(x_{a \wedge \neg b}) \wedge TRUE \wedge
G(x_{a \wedge \neg b} \Rightarrow \neg b) \wedge F(b)$. It provides an $f$-MU: $G(TRUE \wedge \neg b) \wedge F(b)$. W.l.g. [23], the solver will focus
on finding small coarse unsatisfiable cores.

^3 An unsatisfiable core $\varphi$ is minimal iff $\varphi$ is its own only unsatisfiable core.
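As an added illustration of Definition 4, the granularity discussion and the proof sketch of Theorem 1 (example code written for this page, not the authors' solver), the following Python computes a minimal coarse unsatisfiable core of the paper's own $f' = G(x) \wedge G(x \Rightarrow a) \wedge G(x \Rightarrow \neg b) \wedge F(b)$ by deletion and re-checks the result with the coarse version of the MU test. The satisfiability oracle is an assumption of the example: a brute-force search for lasso models with at most K positions, so 'unsatisfiable' here means 'no lasso model of length up to K', which is adequate only for toy formulas.

```python
"""Coarse unsatisfiable cores (Definition 4, granularity, Theorem 1) on the
paper's example f' = G(x) ∧ G(x ⇒ a) ∧ G(x ⇒ ¬b) ∧ F(b).
Example code written for this page, not the authors' solver.  ASSUMPTION: the
LTL oracle is a brute-force search for lasso models with at most K positions,
so 'unsatisfiable' means 'no lasso model of length ≤ K'.  Every satisfiable LTL
formula has a lasso model of length 2^O(|f|), so a large enough K is complete,
but the enumeration is only practical for toy formulas such as this one."""
from itertools import combinations, product

def holds(f, i, word, loop):
    """Definition 2 on the ultimately periodic structure
    word[0..n-1] (word[loop..n-1])^omega, evaluated at position i.
    f is a tuple: ('true',), ('p', 'a'), ('not', A), ('and', ...), ('or', ...),
    ('X', A), ('U', A, B), ('W', A, B), ('G', A), ('F', A)."""
    n = len(word)
    nxt = lambda j: j + 1 if j + 1 < n else loop
    op = f[0]
    if op == 'true':
        return True
    if op == 'p':
        return f[1] in word[i]
    if op == 'not':
        return not holds(f[1], i, word, loop)
    if op == 'and':
        return all(holds(g, i, word, loop) for g in f[1:])
    if op == 'or':
        return any(holds(g, i, word, loop) for g in f[1:])
    if op == 'X':
        return holds(f[1], nxt(i), word, loop)
    if op == 'G':                                   # G(A) = A W FALSE
        return holds(('W', f[1], ('not', ('true',))), i, word, loop)
    if op == 'F':                                   # F(A) = TRUE U A
        return holds(('U', ('true',), f[1]), i, word, loop)
    a, b, j, seen = f[1], f[2], i, set()            # A U B / A W B
    while j not in seen:                            # at most n distinct positions
        if holds(b, j, word, loop):
            return True
        if not holds(a, j, word, loop):
            return False
        seen.add(j)
        j = nxt(j)
    return op == 'W'          # A held everywhere and B never: W is true, U is false

def lasso_model(f, props, k):
    """First (word, loop) with at most k positions satisfying f, else None."""
    letters = [frozenset(c) for r in range(len(props) + 1) for c in combinations(props, r)]
    for n in range(1, k + 1):
        for word in product(letters, repeat=n):
            for loop in range(n):
                if holds(f, 0, word, loop):
                    return word, loop
    return None

def coarse_core(conjuncts, props, k):
    """Deletion-based minimal coarse core of f = ∧ conjuncts: substitute a
    conjunct by TRUE (drop it) whenever the rest stays unsatisfiable.
    Returns the indices of the conjuncts kept."""
    kept = list(range(len(conjuncts)))
    for idx in list(kept):
        rest = [conjuncts[j] for j in kept if j != idx]
        if lasso_model(('and', *rest), props, k) is None:
            kept.remove(idx)
    return kept

def is_coarse_mu(conjuncts, props, k):
    """Theorem 1's test at coarse granularity: unsatisfiable, and every single
    substitution of a conjunct by TRUE gives a satisfiable formula."""
    if lasso_model(('and', *conjuncts), props, k) is not None:
        return False
    return all(lasso_model(('and', *[c for j, c in enumerate(conjuncts) if j != d]), props, k) is not None
               for d in range(len(conjuncts)))

# The paper's example: f' is the definitional-CNF form of G(a ∧ ¬b) ∧ F(b).
a, b, x = ('p', 'a'), ('p', 'b'), ('p', 'x')
IMPLIES = lambda u, v: ('or', ('not', u), v)
F_PRIME = [('G', x), ('G', IMPLIES(x, a)), ('G', IMPLIES(x, ('not', b))), ('F', b)]
PROPS, K = ['a', 'b', 'x'], 3

def paper_example():
    """Returns (kept indices, MU check of the core): expected ([0, 2, 3], True),
    i.e. the coarse MU G(x) ∧ TRUE ∧ G(x ⇒ ¬b) ∧ F(b) of the text."""
    core = coarse_core(F_PRIME, PROPS, K)
    return core, is_coarse_mu([F_PRIME[j] for j in core], PROPS, K)

if __name__ == '__main__':
    print(paper_example())
```

The deletion loop is the usual way to get a minimal core from any unsatisfiability oracle; the paper's contribution is to avoid these repeated solver calls by reading the core off the conflict analysis instead.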

Definition 5 (Closure) Let $f$ be an LTL formula. We call the set of closure variables of $f$, $Cl(f)$, the
smallest set $Set$ such that:

- $f \in Set$

- If $\psi = \psi_1 \wedge \ldots \wedge \psi_s \in Set$ and $\psi_j$ is not a conjunction, then $\forall j\ \psi_j \in Set$

- If $\psi = \psi_1 \vee \ldots \vee \psi_r \in Set$ and $\psi_j$ is not a disjunction, then $\forall j\ \psi_j \in Set$

- If $\psi = F/G(\psi') \in Set$, then $\psi' \in Set$ and $XF/G(\psi') \in Set$

- If $\psi = \psi'\,U/W\,\psi'' \in Set$, then $\psi''$ and $\psi' \wedge X(\psi)$ are in $Set$

- If $\psi = X(\psi') \in Set$ then $\psi' \in Set$

Furthermore the number of closure variables of $Cl(f)$ is linear in the size of $f$ [11].

A traditional mathematical tool to analyze satisfiability is the tableau. It is a particular automaton of
states, in which any state is a subset of $Cl(f)$. Intuitively, a state is built from a prestate. A prestate is either
the starting state containing only the starting formula $f$, or a state containing only closure formulas
derived from a preceding state. The derivation of a formula $Xh$ at a state is $h$ at the next prestate. The
prestates are intermediary results used to build the tableau and do not occur in the tableau, except the first one.
In Figure 1, the rounded rectangle is a prestate, the others are states. A state is computed by unwinding
the formulas and making a choice for the disjunctive ones. For instance, the occurrence of $G(\neg i)$ implies
the occurrence of $\neg i$ and $XG(\neg i)$. In Figure 1, at the goal state of transition 1, $p$ is chosen from the
disjunction $p \vee (\neg i \wedge X(\neg i\,W\,p))$ unwound^4 from $\neg i\,W\,p$.

Definition 6 (state, prestate, f-tableau) The f-tableau is a special finite state automaton $(St, s_0, R)$ with
$St$ the set of states, $s_0$ the initial state and $R \subseteq St^2$ the set of transitions. The f-tableau is the 'minimal'
automaton $A$ such that:

- Any state of $A$ is a subset of $Cl(f)$.

- $s_0$ is a prestate with $s_0 = \bigcup_i \{f_i\}$ where $f = \bigwedge_i f_i$.

- Let a set $S$ be derived from a prestate $PS$ s.t. $PS \subseteq S \subseteq Cl(f)$ and $\exists \rho$ a total choice function from
$S \cap (disjunction \cup Future \cup Until \cup WUntil)$ to $S$. Furthermore, if $S$ is the smallest set $Set$ such
that

  - $PS \subseteq Set$

  - If $\psi = \psi_1 \wedge \ldots \wedge \psi_N$ and $\psi_j$ is not a conjunction, then $\forall j\ \psi_j \in Set$

  - If $\psi = \psi_1 \vee \ldots \vee \psi_r$ and $\psi_j$ is not a disjunction, then $\rho(\psi) = \psi_j \in Set$ for some $j$

  - If $\psi = F(\psi')$, then $\rho(\psi) \in \{\psi', XF(\psi')\} \cap Set$

  - If $\psi = G(\psi')$, then $\psi' \in Set$ and $XG(\psi') \in Set$

  - If $\psi = \psi'\,U/W\,\psi''$, then $\rho(\psi) \in \{\psi'', \psi' \wedge X(\psi)\} \cap Set$,

  then $S$ is a state of $A$.

- Let a set $PS'$ contain only the formulas derived from a preceding state $S$, i.e. $PS' = \{\psi \mid X\psi \in S\}$.
Then $PS'$ is a prestate of $A$.

- The transitions $R$ of an f-tableau stand for the collapsing of $S_1 \to PS \to S_2$ derivation sequences, i.e.,
collapsed transitions of the form $S_1 \to S_2$.

[Figure 1: Depth-first-search]



Theorem 2 ([19, 14]) An LTL formula $f$ is satisfiable iff there exists a path of states in the f-tableau
(finite with no successor at the last state, or infinite) starting from the starting prestate and such that any
occurrence of a Future or Until modal operator in a state of the path fulfills its corresponding promise
operand later (in the future) in the path. We call such a path a fair path.

In Figure 1, $f$ is a simpler version of our toy example, and there are only unsatisfiable paths (infinite
in this case) since each possible path contains a Future $F(i)$ but does not realize the promise operand $i$.
An argument is that any infinite path will eventually reach a Strongly Connected Component (SCC)
in which the path remains forever. Then $f$ is unsatisfiable. On-the-fly techniques for satisfiability of
temporal logic (e.g. [14, 19]) use a nested depth-first search for a fair loop or a simple depth-first search for a fair
SCC.

Theorem 3 ([25, 19]) There exists a depth-first-search algorithm for computing the SCCs of an f-tableau
and for deciding their fairness.

In Figure 1, the exploration steps of the simple depth-first search follow the numbered labels on the
transitions. An example of an SCC is the set of states supporting the set of transitions {3; 4; 5; 6}.
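The construction of Definition 6 and the fair-SCC test of Theorems 2 and 3, as an added stand-alone Python model written for this page (it is not the authors' solver: no conflict handling, no prime implicants, just an explicit tableau and Tarjan's algorithm). The running-example formula is an assumption: Table 1 is not legible in this copy, so it is rebuilt from the closure variables quoted in Section 3 as $G(\neg p \vee G(\neg i)) \wedge ((\neg i)\,W\,p) \wedge F(i)$, dropping the $G(\neg c)$ conjunct.

```python
"""Tableau of Definition 6 and the fair-SCC satisfiability test of Theorems 2
and 3, as a plain explicit-state model.  Example code written for this page;
it is not the authors' solver (no conflict handling, no prime implicants).
Formulas are NNF tuples: ('p', 'a'), ('not', ('p', 'a')), ('and', ...),
('or', ...), ('X', A), ('U', A, B), ('W', A, B), ('G', A), ('F', A).
ASSUMPTION: the running-example formula at the end is rebuilt from the closure
variables quoted in Section 3, since Table 1 is not legible in this copy."""

def states_of(prestate):
    """All states derived from a prestate: unwind ∧, G, F, U, W and branch on
    every disjunctive choice (the choice function ρ).  X-formulas stay atomic;
    conflicting sets (h and ¬h) are dropped."""
    results = set()

    def go(todo, state):
        while todo:
            f = todo.pop()
            if f in state:
                continue
            state = state | {f}
            op = f[0]
            if op == 'and':
                todo.extend(f[1:])
                continue
            if op == 'G':
                todo.extend([f[1], ('X', f)])
                continue
            if op == 'or':
                alternatives = list(f[1:])
            elif op == 'F':
                alternatives = [f[1], ('X', f)]
            elif op in ('U', 'W'):
                alternatives = [f[2], ('and', f[1], ('X', f))]
            else:                                   # 'p', 'not', 'X'
                continue
            for alt in alternatives:
                go(todo + [alt], state)
            return
        if not any(('not', g) in state for g in state if g[0] == 'p'):
            results.add(frozenset(state))

    go(list(prestate), frozenset())
    return results

def next_prestate(state):
    """Derivation: X(h) in a state puts h into the next prestate."""
    return frozenset(g[1] for g in state if g[0] == 'X')

def promises(state):
    """Promise operands: F(A) promises A, (A U B) promises B (W promises nothing)."""
    return {g[1] for g in state if g[0] == 'F'} | {g[2] for g in state if g[0] == 'U'}

def build_tableau(f):
    """The f-tableau as a successor map over collapsed state -> state transitions."""
    succ, frontier = {}, list(states_of(frozenset([f])))
    while frontier:
        s = frontier.pop()
        if s not in succ:
            succ[s] = states_of(next_prestate(s))
            frontier.extend(succ[s])
    return succ

def tarjan_sccs(succ):
    """Tarjan's depth-first SCC algorithm (the Nb/Lp numbering of Section 4)."""
    index, low, stack, on_stack, sccs = {}, {}, [], set(), []

    def visit(v):
        index[v] = low[v] = len(index)
        stack.append(v); on_stack.add(v)
        for w in succ[v]:
            if w not in index:
                visit(w); low[v] = min(low[v], low[w])
            elif w in on_stack:
                low[v] = min(low[v], index[w])
        if low[v] == index[v]:                      # v is the root of an SCC
            comp = set()
            while True:
                w = stack.pop(); on_stack.discard(w); comp.add(w)
                if w == v:
                    break
            sccs.append(comp)

    for v in list(succ):
        if v not in index:
            visit(v)
    return sccs

def is_fair(scc, succ):
    """Fair SCC: it carries a cycle, and every promise made in one of its
    states is fulfilled in some state of the SCC."""
    has_cycle = len(scc) > 1 or any(v in succ[v] for v in scc)
    wanted = set().union(*(promises(s) for s in scc))
    present = set().union(*scc)
    return has_cycle and wanted <= present

def ltl_satisfiable(f):
    """Theorem 2: f is satisfiable iff the tableau has a reachable fair SCC
    (a state without X-formulas loops on the empty state, which is trivially fair)."""
    succ = build_tableau(f)
    return any(is_fair(scc, succ) for scc in tarjan_sccs(succ))

p, i, a, b = ('p', 'p'), ('p', 'i'), ('p', 'a'), ('p', 'b')
NOT = lambda q: ('not', q)
# Assumed simplified running example: "once p, never i", "no i before p", "eventually i".
RUNNING_EXAMPLE = ('and', ('G', ('or', NOT(p), ('G', NOT(i)))), ('W', NOT(i), p), ('F', i))

if __name__ == '__main__':
    print(ltl_satisfiable(RUNNING_EXAMPLE))      # False: every SCC leaves F(i) unfulfilled
```

On the running example every SCC contains $F(i)$ and never $i$, which is exactly the unfair-SCC argument of the text; the same code reports satisfiable as soon as the $G(\neg p \vee G(\neg i))$ conjunct is dropped, since $p$ and $i$ can then be chosen in the very first state.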



^4 Disjunctive unwindings are not shown in the tableau since they are intermediary results.

[Figure 2: Depth-first-search with conflict handling and prime implicant]



3 Technical Preliminaries

We will show how it is possible, by handling conflicts, to enhance the above depth-first search method and
to drastically shrink the search space. Our solver, shown in Section 4, is based on the following intuitions.
First, the idea is to record which occurrences of elements of the closure at a given state entail another one,
by using the unit rule propagation technique from SAT solvers. It enables to extract the cause of a conflict, to
backtrack non-chronologically to the last involved choice and eventually to learn information from the
conflict, in order not to revisit the same conflict. Furthermore, our solver uses fair prime implicant search
to also shrink good but redundant search space. These optimizations enable to explore only the tableau
of Figure 2 to decide the unsatisfiability of the running example f-tableau of Figure 1. In the following we
explain how unwinding from prestate to state is simulated by a boolean SAT problem.



3.1 From prestate to state: a propositional SAT problem

To tackle the particular choice function of Definition 6 (one literal per occurring disjunction) we
need a 'three-valued' logic which enables partial instantiation. It is also convenient for prime implicant
handling.

Definition 7 ('three-valued' logic, closure variables, literals, clause) Let $S$ be a set of LTL formulas. We
call state closure of $S$, $StCl(S)$, any formula met in $Set$ of the closure algorithm with the initial condition
$Set = S$ instead of $Set = \{f\}$ and without the last rule ($Xg$ derives $g$). For any element $g$ in the closure
we denote by $x_g$ a fresh boolean variable, that we call a closure variable. It means the presence of $g$ in the state.
We will use the word 'literal' for $x_g$ or $\neg x_g$. Finally, we call a clause a disjunction of such literals (also
represented by a set of literals). Let $S' \subseteq Cl(f)$. We say that $S'$ is conflicting if there exist $h$ and $\neg h$ in $S'$.
Let $V$ be a set of closure variables, $L$ the literals of $V$. Then if $g$ and $h$ are 'three-valued' logic formulas
then $x_{h'} \in V$, $g \wedge h$ and $\neg g$ are 'three-valued' formulas. Furthermore, assuming $S'$ is non-conflicting:

- $S' \models x_{h'}$ iff $h' \in S'$

- $S' \models g \wedge h$ iff $S' \models g$ and $S' \models h$

- $S' \models \neg g$ iff $S' \not\models g$

We say that a three-valued formula $g$ is valid iff for any non-conflicting set $S'$, $S' \models g$. We say that $g$ is
fair-valid if for any $S'$ which is a state of any fair path, $S' \models g$.

Definition 8 (Unwinding clauses from a prestate) Let $PS$ be a prestate and $Presence(PS) = \{x_h \mid h \in PS\}$.
The corresponding Unwound Clause Set $UCS(PS)$ is a set containing the unwound clauses, and $AUX(PS)$
the three-valued conditions. $Set$, $AUX(PS)$ and $UCS(PS)$ are the smallest sets following the rules:

- $Presence(PS) \subseteq Set \cap UCS(PS)$

- If $x_\psi = x_{\psi_1 \wedge \ldots \wedge \psi_s} \in Set$ and no $x_{\psi_j}$ is a conjunction,
then $\forall j$ the formulas $x_\psi \Rightarrow x_{\psi_j}$ are in $UCS$ and $\forall j\ x_{\psi_j} \in Set$

- If $x_\psi = x_{\psi_1 \vee \ldots \vee \psi_r} \in Set$ and no $x_{\psi_j}$ is a disjunction,
then $x_\psi \Rightarrow (x_{\psi_1} \vee \ldots \vee x_{\psi_r}) \in UCS$ and $\forall j\ x_{\psi_j} \in Set$

- If $x_\psi = x_{\psi'\,U/W\,\psi''} \in Set$,
then $x_\psi \Rightarrow (x_{\psi''} \vee x_{\psi' \wedge X(\psi)}) \in UCS$ and $x_{\psi''}$ and $x_{\psi' \wedge X(\psi)}$ are in $Set$

- If $x_h, x_{\neg h} \in Set$ then $\neg x_h \vee \neg x_{\neg h} \in AUX$

Furthermore, $AUX(f)$ (resp. $UCS(f)$, $Presence(f)$) is the union of $AUX(PS)$ for any $PS$ in the f-
tableau (resp. $UCS(PS)$, $Presence(PS)$). The unwound formulas $UCS(PS) \setminus Presence(PS)$ are fair-valid
formulas (see the proof in Section 5) and of the form $x_\psi \Rightarrow disj_{x_\psi}$ where $disj_{x_\psi}$ is the classical disjunctive
unwinding of closure formulas [14, 19].

The formula $f$ of Figure 3 provides the clauses $UCS(f)$:

$x_{G(\neg c)} \Rightarrow x_{\neg c}$

$x_{\neg p \vee G(\neg i)} \Rightarrow x_{\neg p} \vee x_{G(\neg i)}$

$x_{G(\neg c)} \Rightarrow x_{XG(\neg c)}$

$x_{(\neg i)\,W\,p} \Rightarrow x_p \vee x_{\neg i \wedge X((\neg i)\,W\,p)}$

$x_{\neg i \wedge X((\neg i)\,W\,p)} \Rightarrow x_{\neg i}$, $x_{\neg i \wedge X((\neg i)\,W\,p)} \Rightarrow x_{X((\neg i)\,W\,p)}$

$x_{G(\neg i)} \Rightarrow x_{XG(\neg i)}$

$\forall v \in Cl(f):\ \neg x_v \vee \neg x_{\neg v}$

Proposition 1 An instance $IS$ of the boolean SAT problem $UCS(PS) \cup AUX(PS)$ provides a state $S$
from $PS$, and reciprocally.
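Definitions 5, 7 and 8 and Proposition 1 in code, as an added example written for this page (not the authors' implementation): the closure, the clause set $UCS(PS) \cup AUX(PS)$ unwound from a prestate, and a check that one chosen state is a model of it. The formula is an assumed reconstruction of the simplified running example, since Table 1 is not legible in this copy: $G(\neg p \vee G(\neg i)) \wedge ((\neg i)\,W\,p) \wedge F(i)$, with the $G(\neg c)$ conjunct of the listing above left out.

```python
"""Closure of an LTL formula (Definition 5) and the unwinding of a prestate
into the propositional problem UCS(PS) ∪ AUX(PS) of Definitions 7 and 8, with
the model check of Proposition 1.  Example code written for this page, not the
authors' implementation.  Formulas are NNF tuples: ('p', 'a'), ('not', ('p', 'a')),
('and', ...), ('or', ...), ('X', A), ('U', A, B), ('W', A, B), ('G', A), ('F', A).
The closure variable x_h is represented by h itself, a literal by (h, polarity).
ASSUMPTION: the formula at the end is rebuilt from the closure variables of the
UCS(f) listing above (G(¬c) left out), since Table 1 is not legible in this copy."""

def operands(g):
    """Operands of an n-ary ∧ or ∨ with nested occurrences of the same
    connective flattened: only non-conjunction conjuncts enter the closure."""
    out = []
    for h in g[1:]:
        out.extend(operands(h) if h[0] == g[0] else [h])
    return out

def unwinding(g):
    """Alternatives of the disjunctive unwinding of g: a list with one entry per
    choice, each entry listing the formulas that this choice forces."""
    op = g[0]
    if op == 'and':
        return [operands(g)]
    if op == 'or':
        return [[h] for h in operands(g)]
    if op == 'G':
        return [[g[1], ('X', g)]]
    if op == 'F':
        return [[g[1]], [('X', g)]]
    if op in ('U', 'W'):
        return [[g[2]], [('and', g[1], ('X', g))]]
    return []                                 # literal or X-formula

def closure(f):
    """Cl(f): the smallest set closed under the rules of Definition 5."""
    todo, cl = [f], set()
    while todo:
        g = todo.pop()
        if g in cl:
            continue
        cl.add(g)
        todo.extend(h for alt in unwinding(g) for h in alt)
        if g[0] == 'X':
            todo.append(g[1])                  # the last rule: X(ψ') gives ψ'
    return cl

def unwind_prestate(prestate):
    """Returns (Set, UCS(PS), AUX(PS)): presence units, one implication clause
    per unwinding (X-formulas stay atomic, i.e. the state closure), and the
    clauses ¬x_h ∨ ¬x_¬h for every pair of opposite literals reached."""
    ucs = [[(h, True)] for h in prestate]                     # Presence(PS)
    reached, todo = set(), list(prestate)
    while todo:
        g = todo.pop()
        if g in reached:
            continue
        reached.add(g)
        alts = unwinding(g)
        if len(alts) == 1:                                     # x_g ⇒ x_h for each forced h
            ucs.extend([(g, False), (h, True)] for h in alts[0])
        elif alts:                                             # x_g ⇒ x_h1 ∨ ... ∨ x_hr
            ucs.append([(g, False)] + [(alt[0], True) for alt in alts])
        todo.extend(h for alt in alts for h in alt)
    aux = [[(h, False), (('not', h), False)]
           for h in reached if h[0] == 'p' and ('not', h) in reached]
    return reached, ucs, aux

def satisfies(present, clauses):
    """Three-valued semantics of Definition 7: the set of present closure
    elements satisfies a clause set iff each clause has a literal whose
    polarity matches the presence of its element."""
    return all(any((h in present) == pol for h, pol in clause) for clause in clauses)

def next_prestate(present):
    return frozenset(g[1] for g in present if g[0] == 'X')

p, i = ('p', 'p'), ('p', 'i')
NOT = lambda q: ('not', q)
G1 = ('G', ('or', NOT(p), ('G', NOT(i))))        # G(¬p ∨ G(¬i))
W1 = ('W', NOT(i), p)                              # (¬i) W p
F1 = ('F', i)                                      # F(i)
RUNNING_EXAMPLE = ('and', G1, W1, F1)

def demo():
    """Unwinds the initial prestate {f}, checks the state where ¬p,
    ¬i ∧ X((¬i) W p) and XF(i) are chosen, and derives the next prestate.
    Returns (|Cl(f)|, |UCS|, |AUX|, is a state, next prestate)."""
    reached, ucs, aux = unwind_prestate(frozenset([RUNNING_EXAMPLE]))
    choice = ('and', NOT(i), ('X', W1))
    state = frozenset({RUNNING_EXAMPLE, G1, G1[1], ('X', G1), NOT(p),
                       W1, choice, NOT(i), ('X', W1), F1, ('X', F1)})
    return (len(closure(RUNNING_EXAMPLE)), len(ucs), len(aux),
            satisfies(state, ucs + aux), next_prestate(state))
```

For this formula the closure has 15 elements, the initial prestate unwinds to 13 clauses of $UCS$ plus 2 of $AUX$ (for $p/\neg p$ and $i/\neg i$), and the checked state derives the prestate $\{G(\neg p \vee G(\neg i)), (\neg i)\,W\,p, F(i)\}$, which is where the depth-first search of Figure 1 continues.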

Since many instances correspond to a state in the tableau, and since several states may be redundant
regarding the LTL satisfiability problem, we introduce the Fair Prime Implicant.

Definition 9 (Fair Prime Implicant) Let $IS$ be as above. A Fair Prime Implicant $IS.FPI$ of $IS$ is a
maximal^5 switching of some assigned $x_h$ at $IS$ to $\neg x_h$ such that $h$ is not a promise operand and $IS.FPI \models
UCS(PS) \cup AUX(PS)$. To a given $IS.FPI$ corresponds only one state $FPI$ in the f-tableau.

Theorem 4 (Fair prime implicant version of Depth-First-Search) A formula $f$ in LTL is satisfiable iff
there exists a fair path solely with FPIs as states (proof omitted).

For instance, the FPI technique enables our depth-first search to ignore the goal state of transition
number 4 in Figure 1.

To solve the boolean SAT problem, current solvers use unit rule propagation [1].

Definition 10 (Unit rule propagation)

- Each instantiated literal must be propagated^6 over any not yet satisfied clause containing the opposite
one. This opposite literal is then temporarily erased from the clause.

- If a clause becomes a unit literal $l$ because of unit rule propagation(s), then $l$ is assigned.

This propagation is critical for conflict analysis. In the following we show how to handle unit rule
propagations to support conflict analyses.

^5 Intuitively the switching simulates the removal of a closure element in the corresponding state.

^6 A weaker and optimized version used by current solvers requires only propagation along watched literals [22].

[Figure 3: Implication graph and conflict analyses]



3.2 Implication Graph to support Conflict analyses

The Implication Graph is an extension of the propositional SAT solvers' one to the LTL tableau. The intuition
is to record the occurrences of elements of the closure at a given state that entail another one. An
Implication Graph is a bicolor graph $(Nodes, T_{red}, T_{black})$ where $T_{red}$ and $T_{black}$ are subsets of $Nodes^2$.
Figure 3 shows a part of the Implication Graph adapted from the f-tableau of Figure 1. Intuitively, the
Implication Graph is a concatenation of several ISs' implication graphs, denoted $IS.IG$. The red part $T_{red}$
is used for the conflict analysis of the depth-first-search stack $S$ and it is a DAG; the black part $T_{black}$
records some past red edges and corresponds to the conflict analysis of the SCC-search using stack $S'$,
and it allows loops for inductive reasoning.

Nodes' features  Intuitively, a Node $N$ stands for an assigned literal at a given state. In Figure 3, the
rounded-corner rectangles are Nodes. Each node is inside a big rectangle standing for a state. More
precisely, a Node corresponds to the ongoing prestate, to an ongoing $IS$ while it is found, and to a chosen
extracted $IS.FPI$ in this case. In Figure 3, the three states^7 are the ones which support the transitions
{2; 3; 4} of Figure 1. Furthermore a Node can be either chosen or required. In Figure 3, a chosen node
is doubly surrounded. The level of a chosen Node $N$ is its chronological order of choice in the whole
f-tableau. In Figure 3 the numbers are the levels of the chosen nodes. The level of any node $N$ is the maximum^8
level of the chosen nodes which involve $N$, i.e. which are ancestors of $N$ in $T_{red}$. The level of a set of
nodes is the maximum level of its nodes. A required node either has no antecedent but has a level, or
gets an antecedent in $T_{red}$.

Transitions' features  If a Node $N_l$ whose corresponding literal $l$ comes from a clause $C = \bigvee_j l_j \vee l$ which
has become unit, then the red edges $(N_{\neg l_j}, N_l)$ are in $T_{red}$ just after this unit propagation. Let us focus on
the above state. For instance, $(x_p, x_{G(\neg i)})$ and $(x_{\neg p \vee G(\neg i)}, x_{G(\neg i)})$ are red edges because of the unit rule
from the clause $x_{\neg p \vee G(\neg i)} \Rightarrow (x_{\neg p} \vee x_{G(\neg i)})$. Furthermore, the derivation from a state to a next state is also
recorded using red edges, such that the occurrence of $x_{Xg} \in IS.FPI$ entails the occurrence of $x_g$ at the next
prestate. For instance in Figure 3, the above FPI derives to the middle one, thus there exists a red edge
in the graph from $x_{XF(i)}$ at the above state to $x_{F(i)}$ at the next one.

^7 For understanding but w.l.g., the below state is not a FPI.
^8 0 if no ancestor node is chosen.

Furthermore, while a FPI is revisited, the current IS implication graph $IS.IG$ has to be connected
to the first one, $IG_{old}$, which visited the same FPI. The algorithm creates black transitions from
any node $N(\neg x_{op(promise)})$ (resp. $x_{Xh} \in IS.FPI$) at $IS.IG$ to the node of the same literal in $IG_{old}$. This connection
is called the 'bind' function. For instance, for the corresponding derivation in Figure 1, for $IS.IG$ at the goal
state of transitions {3; 5; 6} the $IS.IG$ and $IG_{old}$ are the same. For simplicity and w.l.g.^9 they have been
superimposed in Figure 3. In this case, the transitions of 'bind' have been omitted w.l.g., and solely the
bottom-up edges from the source state to the goal state of transitions {3; 5; 6} are shown (e.g., $x_{XF(i)}$ at the
below state to $x_{F(i)}$ at the same state for transition 3). Finally, given a $T_{red}$ and a chosen Node $N$ still red,
$flip(Nodes, T_{red}, T_{black}, N) = (Nodes \cup \{\sim N(red)\},\ T_{red} \setminus \{(N_1, N_2) \in T_{red} \mid level(N_2) > level(N)\},\ T_{black})$
is the flipped Implication Graph regarding $N$, with $\sim N(red)$ a fresh node.



4 Solver

Our depth-first-search temporal conflict-driven solver is a combination of the depth-first search of fair SCCs
in a tableau (Theorem 3) and of a boolean SAT solver. Thus, our solver uses the unit rule propagation method and boolean
conflict handling [22]. It also uses a new temporal conflict-driven method inspired by resolution for
temporal logic [12].

Basic Solver^10  Algorithm 1 shows the main method of the algorithm, called Solver. At each new prestate,
the solver populates the clauses by unwinding the prestate according to Definition 8. Otherwise, unit
rules and boolean conflict detection^11 are launched. A Backtrack (Algorithm 2) is triggered in case of a
conflict; otherwise, if it is possible, a choice of literal following a heuristic is done. Once an IS is found
and a FPI extracted, the SCC-search-forward (Algorithm 3) function is called. Otherwise the Solver
is recursively called.



Algorithm 1: Solver

  if not unwound then
      Unwind;
  Unit-rule; bool-conflict-detection;
  if conflict then
      Backtrack;
  if IS found then
      SCC-search-forward;
  else
      make a choice of literal;
      Solver;



Propositional Conflict Handling while backtracking  A Propositional Conflict Handling is triggered
when a clause is falsified (or equivalently when a literal and its opposite occur). Similarly to
SAT solvers, the Propositional Conflict Handling starts from a set of conflicting nodes $Nodes_C$ and
corresponding literals $C$ which falsify the clause $\neg C$, and analyzes which nodes have involved those conflicting
literals using $(Nodes(red), T_{red})$. Let $\mathcal{E}(C)$ be the sub-DAG of $(Nodes(red), T_{red})$ which stands
for the ancestors of $Nodes_C$. Let $\mathcal{E}(C)(conflict\text{-}level)$ be the sub-DAG of $\mathcal{E}(C)$ with the nodes of the 'conflicting'
level of $Nodes_C$, i.e. $conflict\text{-}level$, and $N(conflict\text{-}level)$ the chosen node of level $conflict\text{-}level$.
Let $Limit(C) = \{N(conflict\text{-}level)\} \cup (Parent_{T_{red}}[\mathcal{E}(C)(conflict\text{-}level) \setminus \{N(conflict\text{-}level)\}] \cap
Level(conflict\text{-}level - 1, \mathcal{E}(C)))$ where $Level(m, \mathcal{E}(C))$ means the sub-DAG of $\mathcal{E}(C)$ with node level
at most $m$. We call limit conflict clause $\neg Limit(C)$. The last conflicting chosen node $N(conflict\text{-}level)$
is then switched if the corresponding flipped partial assignment has not been visited yet (node.flip = 1).
In this first case, similarly to boolean SAT solvers, the function 'Conflict-require' adds red edges to
$(Nodes(red), T_{red})$: the red transitions with a source node in $Limit(C) \setminus \{N(conflict\text{-}level)\}$ to the
goal node $\sim N(conflict\text{-}level)$. However, differently from boolean SAT solvers, since the algorithm
records information in the black part $(Nodes(black), T_{black})$, in the second case (flip = 2) the same transitions
but in black are added. Furthermore, $\sim N(conflict\text{-}level)$ is now required and not chosen. Those
red or black edges ensure that we can compute the reason of the requirement of $\sim N(conflict\text{-}level)$.
Finally, if the conflict level is 0 then the algorithm terminates with unsatisfiable.

^9 The particular computation of the fixpoint remains the same while superimposing in this simple case.
^10 The main components of the algorithm are shown in a recursive form for convenience.
^11 A boolean conflict detection occurs when a clause is falsified by the current partial assignment.



Algorithm 2: Backtrack

  Compute Conflict-level;
  if Conflict-level = 0 then
      print('unsat'); break;
  State-Conflict-Clause-learning;
  Tableau.IG.erase(Conflict-level);
  stack-S.erase(Conflict-level);
  stack-S'.erase(Conflict-level);
  Conflict-require;
  SCC-search-backward;



In Figure 3, the backtrack is done from the conflicting (see TC-Analysis) nodes $x_{G(\neg i)}$ and $x_{F(i)}$ at
the middle state. Following the red part, the last involved and chosen node is $x_p$ at the above state. While
backtracking, bad states and the corresponding nodes are erased (the above state in Figure 3). Contrary
to propositional SAT solvers, the algorithm has to record the cause of these states being bad (to avoid
revisiting them) using a conflict clause per state^12. These learned clauses must not be forgotten. In Figure
3, the yellow literals are the conflicting literals at the middle state, but the clause $\neg x_{G(\neg i)} \vee \neg x_{F(i)}$ has already been
learned. At the above state, the pink literals provide the learned clause $\neg x_p \vee \neg x_{\neg p \vee G(\neg i)} \vee \neg x_{F(i)}$. Finally, an
SCC-search-backward is launched. Algorithm 2 summarizes the above ideas. We refer to [22] for more
details about backtracking in boolean SAT solvers.
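The unit rule of Definition 10, the red implication graph of Section 3.2 and the $Limit(C)$ conflict analysis described above, replayed on the 'above' state of Figure 3, as an added Python example written for this page (not the authors' solver). The clause set, the abbreviated variable names and the moment at which the clause learned at the middle state reaches the above state are assumptions reconstructed from the Figure 3 discussion.

```python
"""The unit rule (Definition 10), the red implication graph (Section 3.2) and
the Limit(C) conflict analysis of Section 4, run on the 'above' state of
Figure 3.  Example code written for this page, not the authors' solver.
ASSUMPTIONS: the clause set, the abbreviated variable names and the moment at
which the clause learned at the middle state reaches the above state are
reconstructed from the Figure 3 discussion.
A literal is (variable, polarity); a clause is a list of literals."""

def value(lit, assign):
    var, pol = lit
    return None if var not in assign else assign[var] == pol

class StateSolver:
    def __init__(self, clauses):
        self.clauses = [list(c) for c in clauses]
        self.assign, self.reason, self.level, self.trail = {}, {}, {}, []

    def require(self, lit, reason=None, lvl=0):
        """Assign a literal: presence literal (no antecedent, level 0), chosen
        node, or implied literal with its antecedent clause (its red-edge sources)."""
        var, pol = lit
        self.assign[var], self.reason[var], self.level[var] = pol, reason, lvl
        self.trail.append(var)

    def choose(self, lit):
        """Chosen node: its level is the chronological order of the choice."""
        self.require(lit, None, max(self.level.values(), default=0) + 1)

    def propagate(self):
        """Unit rule until fixpoint.  The level of an implied literal is the
        maximum level of its antecedents.  Returns a falsified clause (the
        boolean conflict C) or None."""
        changed = True
        while changed:
            changed = False
            for clause in self.clauses:
                vals = [value(l, self.assign) for l in clause]
                if True in vals:
                    continue
                open_lits = [l for l, v in zip(clause, vals) if v is None]
                if not open_lits:
                    return clause
                if len(open_lits) == 1:
                    lit = open_lits[0]
                    lvl = max((self.level[v] for v, _ in clause if v != lit[0]), default=0)
                    self.require(lit, clause, lvl)
                    changed = True
        return None

    def limit(self, conflict):
        """Limit(C): walk the red DAG back from the conflicting nodes; inside the
        conflict level go through required nodes, stop at the chosen node of
        that level and at any node of a lower level."""
        conflict_level = max(self.level[v] for v, _ in conflict)
        limit, seen, stack = set(), set(), [v for v, _ in conflict]
        while stack:
            v = stack.pop()
            if v in seen:
                continue
            seen.add(v)
            if self.level[v] < conflict_level or self.reason[v] is None:
                limit.add(v)
            else:
                stack.extend(u for u, _ in self.reason[v] if u != v)
        return conflict_level, limit

    def backtrack(self, conflict):
        """Learn the limit conflict clause ¬Limit(C), erase the conflict level
        and above, and require (no longer choose) the flipped node with the
        learned clause as its antecedent.  Returns the learned clause."""
        conflict_level, limit = self.limit(conflict)
        if conflict_level == 0:
            raise ValueError('unsat: boolean conflict at level 0')
        learned = sorted((v, not self.assign[v]) for v in limit)
        chosen = next(v for v in limit if self.level[v] == conflict_level)
        flipped = (chosen, not self.assign[chosen])
        for v in [v for v in self.trail if self.level[v] >= conflict_level]:
            self.trail.remove(v)
            del self.assign[v], self.reason[v], self.level[v]
        self.clauses.append(learned)
        self.require(flipped, learned, max((self.level[v] for v, _ in learned if v != chosen), default=0))
        return learned

# Closure variables of the above state (abbreviated x_ψ of Figure 3):
#   D = ¬p ∨ G(¬i) (unwound from G(¬p ∨ G(¬i)))   W = (¬i) W p   C = ¬i ∧ X((¬i) W p)
CLAUSES = [
    [('D', False), ('~p', True), ('G~i', True)],      # x_D ⇒ x_¬p ∨ x_G(¬i)
    [('G~i', False), ('~i', True)],                   # x_G(¬i) ⇒ x_¬i
    [('G~i', False), ('XG~i', True)],                 # x_G(¬i) ⇒ x_XG(¬i)
    [('F(i)', False), ('i', True), ('XF(i)', True)],  # x_F(i) ⇒ x_i ∨ x_XF(i)
    [('W', False), ('p', True), ('C', True)],         # x_W ⇒ x_p ∨ x_C
    [('C', False), ('~i', True)], [('C', False), ('XW', True)],
    [('p', False), ('~p', False)], [('i', False), ('~i', False)],   # AUX
]
LEARNED_AT_MIDDLE = [('G~i', False), ('F(i)', False)]   # ¬x_G(¬i) ∨ ¬x_F(i)

def above_state_example():
    """Replays Figure 3 at the above state.  Returns (learned clause,
    conflict after the flip, assignment after the flip)."""
    s = StateSolver(CLAUSES)
    for h in ('D', 'W', 'F(i)'):
        s.require((h, True))                 # presence literals: required, level 0
    if s.propagate() is not None:
        raise RuntimeError('unexpected conflict')
    s.choose(('p', True))                   # the chosen node x_p (level 1)
    s.propagate()                           # requires ¬x_¬p, x_G(¬i), x_¬i, x_XG(¬i), ¬x_i, x_XF(i)
    s.clauses.append(LEARNED_AT_MIDDLE)     # brought back by the temporal conflict of the middle state
    conflict = s.propagate()                # that clause is now falsified: the boolean conflict C
    learned = s.backtrack(conflict)         # ¬x_D ∨ ¬x_F(i) ∨ ¬x_p, as in the text
    return learned, s.propagate(), dict(s.assign)
```

The cut computed by `limit` is the paper's decision-level cut rather than the first-UIP cut of most boolean solvers: it keeps walking through required nodes of the conflict level until it reaches the chosen node, which is why the learned clause mentions $x_p$ and not $x_{\neg p}$. After the flip, $x_p$ is required (antecedent: the learned clause) and propagation continues with the other branch of $(\neg i)\,W\,p$ without re-running the search that led to the conflict.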



Algorithm 3: SCC-search-forward

  if FPI is new then
      Nb(FPI) := i := i + 1;
      Lp(FPI) := Lv(FPI) := Nb(FPI);
      stack-S.push(FPI);
      stack-S'.push(FPI);
      parent := FPI; prestate := FPI.next();
      Solver;
  else
      case FPI ∈ stack-S:
          Lp(parent) := min(Lp(parent), Nb(FPI));
      case FPI ∉ stack-S ∧ Nb(parent) > Nb(FPI):
          Lv(parent) := min(Lv(parent), Nb(FPI));
          parent.unr-prom := parent.unr-prom ∩ FPI_old.unr-prom;
      bind(IS.IG, IG_old);
      SCC-search-backward;



SCC-Search-Forward  The SCC-search-forward shown in Algorithm 3 is similar to the 'forward' part
of the computation of strongly connected components and uses depth-first-search numbers (Lp, Nb, Lv). If
the FPI is new, then new numbers are computed and, if it is possible, the next prestate (and the corresponding
prestate Nodes and transitions from derivations) is created from the (red) nodes of the literals $x_{Xh} \in
IS.FPI$; otherwise the problem is satisfiable. Moreover, if the already visited $FPI_{old}$ is still in stack-S'
or in stack-S, a computation on Tarjan's numbers^13 is also launched. The unrealizable promises are
also computed. Furthermore, in any revisiting case, a rollback is launched while calling SCC-search-backward
(see Algorithm 4).

^12 We ask that the conflict clause forbids the corresponding red FPI of the state.

SCC-Search-Backward  First the algorithm adds black copies of the red edges in $IS.IG$. Then, starting
with the current chosen node $N$ of the current level, Algorithm 4 simply finds the last non-flipped chosen
node. If it is in $IS$ then it calls $flip(IG, N)$ and Solver. Otherwise it changes the color from red to black on the 'next'
edges from parent.IG to IG. Then an SCC test over the Tarjan numbers is launched from the parent state,
and if an SCC is found SCC-handling is called; otherwise an update of the unrealizable promises is done. If a
promise is unrealizable then SCC-handling calls a Temporal Conflict Analysis (TC-Analysis); otherwise
the problem is satisfiable.



Algorithm 4: SCC-search-backward

  N := node(level);
  IS.IG.edges.black-copies;
  if N.flip = 2 ∧ N ∈ IS then
      level := level - 1; SCC-search-backward;
  if N.flip = 1 ∧ N ∈ IS then
      flip(IG, N);
      Solver;
  if N ∉ IS then
      red-to-black(parent.IG → IS.IG derivation);
      FPI := parent; pop stack-S;
      parent := head(stack-S);
      if Lp(FPI) = Nb(FPI) = Lv(FPI) then
          SCC-handling*;
      else
          Lp(parent) := min(Lp(parent), Lp(FPI));
          Lv(parent) := min(Lv(parent), Lv(FPI));
          parent.unr-prom := parent.unr-prom ∩ FPI.unr-prom;
          SCC-search-backward;

  SCC-handling*:
      if unrealizable promise = ∅ then
          print('satisfiable'); break;
      else
          TC-Analysis;



TC-Analysis of unfair SCC  In the SCC, Algorithm 5 chooses an unfair promise and computes
a backward fixpoint from some nodes $N(\neg x_{op(Promise)})$ for any SCC state along the recorded black
implication graph. Precisely, except for the root state of the SCC, any state of the SCC gets a corresponding
black 'IG' from stack-S, which is the $IS.IG.edges.black\text{-}copies$ one built during SCC-search-backward. For
the root state of the SCC, only the nodes $N(x_{Xh})$ and $N(\neg x_{op(promise)})$ get some black transitions.

The fixpoint computation starts from those nodes at $IS.IG.edges.black\text{-}copies$ or from the particular nodes at
the root. Once the inflationary backward fixpoint using $T_{black}$ has terminated, then at each state in the SCC the
algorithm picks a corresponding^14 IG. For any state, the 'prestate' Nodes $Nodes_{prestate}$ in the IG
which are also in the fixpoint are declared conflicting with the unfair promise, and the algorithm learns
and must not forget the conflict clause. Then, the method erases all the states of this SCC. It finally
triggers a classical Backtracking at the nodes of the Root from the conflicting prestate Nodes of the
root.

^13 Please see [25] for more details about Tarjan's numbers.
^14 Since the root has been revisited, it gets at least one black IG.

Algorithm 5: Temporal Conflict Analysis

  INIT: Vector := ¬op(Promise) ∩ SCC; ∀ state ∈ SCC pick up a state.IG;
  while ∃ e ∈ Vector ∧ e not marked do
      mark e; v := e.black-parents;
      for l ∈ v ∧ l not marked do Vector.push(l);
  end
  learn(Vector ∩ state.IG.prestate, promise);
  erase SCC;
  Backtrack;

In Figure 3, the unfair promise is $F(i)$, and the fixpoint computation is shown by a double arrow. In
this SCC, the yellow and green Nodes are involved in the temporal conflict, and the yellow ones are the causes
of this conflict, i.e., $x_{F(i)}$ and $x_{G(\neg i)}$ are conflicting. Thus $\neg x_{G(\neg i)} \vee \neg x_{F(i)}$ is learned forever.



5 Correctness, Completeness, and Extraction of a small unsatisfiable core 

Lemma 1 Any clause from AUX{f) or UCS{f)\Presence{f) are fair valid. 

proof: Any fair state is non conflicting then AUX is fair valid. By construction, any fair state satisfies 
any clause from UCS{PS) \Presence{PS). 

Lemma 2 Let $f$ be an LTL formula. Assume the algorithm has computed a conflict analysis from the conflicting literals $C$. Let $ICl(f,C) = AUX(f) \cup UCS(f) \cup Learn(f,C)$, with $Learn(f,C)$ containing any learned clause occurring in the algorithm strictly before $C$ and any limit conflict clause^5 occurring at any conflict handling strictly before $C$. Assume that the clauses of $Learn(f,C)$ are fair valid. Let $C_f$ be the conjunction of conflicting literals used to learn the resulting clause of the conflict analysis. Then $\neg C_f$ is fair valid.

Sketch of the proof: Thanks to Lemma 1, $ICl(f,C) \setminus Presence(f)$ are fair valid clauses. Let $S$ be any state of any fair path $p$ of any tableau of the temporal logic formula. Assume now that $S \models C_f$. We have two cases:

1. Either the conflict $C$ is boolean. Let $E'(C) = Level(E(C), conflict\text{-}level)$ and $Limit(C)$ be as above. Then each node in $E'(C) \setminus \{n(conflict\text{-}level)\}$ is required, and it originates either from a state-to-prestate derivation or from a clause $Cl \in ICl(f,C) \setminus Presence(f)$ which has become unit at a given state. Since $ICl(f,C) \setminus Presence(f)$ are assumed fair valid, $S' \models Cl$ for any such clause $Cl$ and for any state $S'$ in $p_S$^6. Then the proof of the conflict $C$ from $E'(C)$ by the unit rule of our algorithm implies that there exists a state $S'_{conflict}$ in $p_S$ which contains $\square$. This is a contradiction, since $p$ is assumed fair and so no state of $p$ should be conflicting.

2. Or the conflict $C$ is temporal. Let $S'$ be any state of the unfair SCC. For any state of the SCC, let $Pre(S')$ be the set of 'black' prestates from a chosen $IS.IG$ of $S'$. Let $k \in \mathbb{N}$. Imagine virtually the exploration of any non-conflicting prefix path $p'$ of length $k$ in the induced tableau $T(Pre)$, also taking $ICl(f,C) \setminus Presence(f)$ into account. It consists of building a boolean SAT problem based on the following observations:

- Since no bad old SCC is reachable (the conflict clause of any bad state or bad SCC is never forgotten), there exists a $k$-depth-first navigation over the Prime Implicants of $T(Pre)$ remaining in the unfair SCC and following the Prime Implicant depth-first search of the $f$-tableau.

^5 The limit conflict clause is $\neg Limit(C)$; we consider it even if the limit conflict clause is not learned by the solver.
^6 Suffixes of $p$ from $S$.

- If $(s_{i_0} = Pre, s_{i_1}, \ldots, s_{i_k})$ is a Prime Implicant path in $T(Pre)$ from the preceding $k$-depth-first navigation, then, from the algorithm, to any transition $(s_{i_j}, s_{i_{j+1}})$ there correspond (several) state implication graphs $IG_{i_j}$ for $s_{i_j}$ and $IG_{i_{j+1}}$ for $s_{i_{j+1}}$, one at any (re)visit of the states.

- There exists a $k$-depth-first navigation of the full $T(Pre)$ following the Prime Implicant depth-first search of the $f$-tableau such that, if $(s'_{i_0} = Pre, s'_{i_1}, \ldots, s'_{i_k})$ is a path of states in $T(Pre)$, then a corresponding Prime Implicant path $(s_{i_0} = Pre, s_{i_1}, \ldots, s_{i_k})$ is one of the $k$-depth-first navigation of the Prime Implicant $f$-tableau.

- Let $Cl_0(Pre)$, $UC_k(f) \setminus Presence_k(f)$, $AUX_k(f)$, $Learn_k(f,C)$ be the timestamped variables and corresponding clauses. Let $Next_k = \{ x_j(X(f)) \Rightarrow x_{j+1}(f) \mid 0 \le j < k \}$ be the clauses encoding the state-to-next-prestate derivations. Then there exists a DLL exploration $E$ of the propositional problem $Cl_0(Pre) \cup UC_k(f) \setminus Presence_k(f) \cup AUX_k(f) \cup Learn_k(f,C) \cup Next_k$ following the $k$-depth-first navigation of the full $T(Pre)$ but disregarding conflicts which do not occur in the DFS of the SCC in the $f$-tableau.

- Let $E'$ be the exploration $E$ modified by pruning any part of the exploration which contradicts a timestamped limit conflict clause.

- Let $E_{promise}$ be the exploration $E'$ modified for the boolean SAT problem $Cl_0(Pre)$, $UC_k(f) \setminus Presence_k(f)$, $AUX_k(f)$, $Learn_k(f,C)$, $Next_k$, $x_k(Promise)$ without learning. Furthermore it backtracks non-chronologically, and it considers only conflicts of the form $\{x_k(op(Promise)), \neg x_k(op(Promise))\}$. Then clearly $E_{promise}$ does not find any solution, because the promise is not fulfilled, in particular at step $k$, i.e., the boolean problem is unsatisfiable.

It is now feasible to show that:

(a) The last conflict $C_{last}$ of $E_{promise}$ is at level 0. This means that the ancestor literals in $E_k(C_{last})$ with no parent get level 0, i.e., they correspond to clauses $Core_k$ of length one in $Cl_0(Pre)$, $UC_k(f) \setminus Presence_k(f)$, $AUX_k(f)$, $Learn_k(f,C)$, $Next_k$, $x_k(op(Promise))$, since there is no learning in $E_{promise}$. Furthermore $x_k(op(Promise)) \in Core_k$. Finally, $Core_k$, $UC_k(f) \setminus Presence_k(f)$, $AUX_k(f)$, $Learn_k(f,C)$, $Next_k$, $x_k(op(Promise))$ is an unsatisfiable core.

(b) Let $Cf_k = Core_k \setminus (\{x_k(op(Promise))\} \cup Learn_k(f,C))$; then $Cf_k \subseteq Cl_0(Pre)$. Let $Cf_k$ also denote the corresponding non-timestamped literals. Then if $S \models Cf_k$, and since $S$ is a state of a fair path, if $p_{S,k}$ is the suffix path from $S$ truncated at length $k$, then $p_{S,k} \models Core_k \setminus \{x_k(op(Promise))\} \cup UC_k(f) \setminus Presence_k(f) \cup AUX_k(f) \cup Learn_k(f,C) \cup Next_k$ and $p_{S,k} \not\models x_k(op(Promise))$.

(c) $Cf_k = \{ e \in Pre \mid N(e_0 = e) \to N(e_1) \to \ldots \to N(e_k = \neg x_{op(Promise)})$, with $N(e_i) \to N(e_{i+1}) \in T_{black}$ and $N(\neg x_{op(Promise)}) \in SCC \}$.

It is then straightforward that if $S \models x_{promise} \wedge \bigwedge_{k \in \mathbb{N}} Cf_k$ then there is a contradiction, since $p_S$ will never realize the operand $x_{op(promise)}$ of the promise. Furthermore, $\bigwedge_{k \in \mathbb{N}} Cf_k$ is computed as the set of $Pre$ contained in the backward fixpoint over $T_{black}$ computing the ancestors of any $\neg x_{op(promise)}$ for all states of the SCC.

Theorem 5 The learned clauses and limit conflict clauses^7 are fair valid.

Sketch of the proof: By chronological induction on the learned clause and limit conflict clause of each conflict. First, assume that the conflict $C$ is the first one; then $Learn(f,C) = \emptyset$ in Lemma 2, so $\neg C_f$ and $\neg Limit(C)$ are fair valid. Assume now that the clauses of $Learn(f,C)$ are fair valid. Thanks to Lemma 2, it follows that $\neg C_f$ and $\neg Limit(C)$ are fair valid.

^7 In case of propositional conflict.

Theorem 6 The algorithm terminates, is correct and complete.

Sketch of the proof: As long as a state is not known to be bad or in a bad SCC, it is recorded^8 to avoid infinite loops. As soon as it is certain that it is a bad state or lies in a bad SCC, a clause standing for the bad state, which will never be forgotten, is learned. Thus our algorithm is similar to a depth-first search of the SCCs of an LTL tableau [19]. However, as soon as there is a conflict, the algorithm prunes the part of the tableau which is sure to lead to a failing state or SCC, by sound learning and by backtracking along the implication dependencies of the conflict.
Theorem 7 (Extraction of a coarse small unsatisfiable core)
If $f = \bigwedge_i f_i$ then $\bigwedge \{ f_i \mid x_{f_i} \in E(C_{last}) \}$ is a coarse small unsatisfiable core.

Sketch of the proof: If the algorithm terminates with 'unsat', the last conflict $C_{last}$ is at level 0. This means that the ancestor nodes in $E(C_{last})$ with no parent get level 0, i.e., they correspond either to some clause $x_{f_i}$ of $Presence(f)$, where $f = \bigwedge_i f_i$, or possibly to some learned clause of the form. But since $ICl(f,C_{last}) \setminus Presence(f)$ are fair valid, $\bigwedge \{ f_i \mid x_{f_i} \in E(C_{last}) \}$ is a coarse small unsatisfiable core.
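As an added example, not the paper's own code, the following Python sketch performs the extraction of Theorem 7 on a constructed implication graph $E(C_{last})$. The node names x_f1..x_f4, x_a, x_b, x_c and the learned unit L1 are invented; the point is the walk back from the two clashing conflict literals to the parentless level-0 ancestors, keeping only those that are presence literals $x_{f_i}$ (a parentless learned unit such as L1 is skipped because learned clauses are fair valid by Theorem 5) and refusing to report a core when some parentless ancestor is a decision above level 0, since then the last conflict was not at level 0 and the search has not concluded 'unsat'.

```python
from dataclasses import dataclass
from typing import Dict, Set, Tuple


@dataclass(frozen=True)
class IGNode:
    """A node of the implication graph E(C): a literal, the decision level at
    which it was assigned, and the antecedent literals that forced it (empty
    for decisions and for unit clauses, i.e. the parentless ancestors)."""
    lit: str
    level: int
    parents: Tuple[str, ...] = ()


def ancestors(ig: Dict[str, IGNode], conflict: Tuple[str, str]) -> Set[str]:
    """Every literal reachable backwards from the two clashing conflict literals."""
    seen: Set[str] = set()
    stack = list(conflict)
    while stack:
        lit = stack.pop()
        if lit in seen:
            continue
        seen.add(lit)
        stack.extend(ig[lit].parents)
    return seen


def coarse_unsat_core(ig: Dict[str, IGNode], conflict: Tuple[str, str],
                      presence: Dict[str, int]) -> Set[int]:
    """Indices i of the conjuncts f_i whose presence literal x_{f_i} is a
    parentless level-0 ancestor of the last conflict. Parentless ancestors that
    are learned units are skipped: they are fair valid, so they add no conjunct.
    Raises if some parentless ancestor is above level 0, which means the last
    conflict was not at level 0 and the search has not concluded 'unsat'."""
    core: Set[int] = set()
    for lit in ancestors(ig, conflict):
        node = ig[lit]
        if node.parents:
            continue
        if node.level != 0:
            raise ValueError(f"{lit} is a decision at level {node.level}: conflict not at level 0")
        if lit in presence:
            core.add(presence[lit])
    return core


# Constructed example (not from the paper): f = f1 /\ f2 /\ f3 /\ f4, presence
# literals x_f1..x_f4 are level-0 units; L1 is a learned unit clause. The UCS
# propagations x_f1 -> x_a and (x_f2, L1) -> x_b -> ~x_a yield the final conflict.
SAMPLE_IG = {
    "x_f1": IGNode("x_f1", 0),
    "x_f2": IGNode("x_f2", 0),
    "x_f3": IGNode("x_f3", 0),
    "x_f4": IGNode("x_f4", 0),
    "L1": IGNode("L1", 0),
    "x_a": IGNode("x_a", 0, ("x_f1",)),
    "x_b": IGNode("x_b", 0, ("x_f2", "L1")),
    "~x_a": IGNode("~x_a", 0, ("x_b",)),
    "x_c": IGNode("x_c", 0, ("x_f3",)),   # not an ancestor of the conflict
}
SAMPLE_CONFLICT = ("x_a", "~x_a")
SAMPLE_PRESENCE = {"x_f1": 1, "x_f2": 2, "x_f3": 3, "x_f4": 4}


def demo() -> Set[int]:
    return coarse_unsat_core(SAMPLE_IG, SAMPLE_CONFLICT, SAMPLE_PRESENCE)


if __name__ == "__main__":
    print("coarse unsat core: f" + " /\\ f".join(map(str, sorted(demo()))))
```

On the sample the core is {f1, f2}: f3 and f4 are level-0 units too, but they are not ancestors of the conflict, which is exactly why the core is small rather than the whole conjunction; it is only coarse because nothing here checks minimality.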



6 Conclusion

In order to detect which compliance rules are conflicting, we have provided a conflict-driven tableau depth-first search for LTL. We have shown how it can be used to extract a small unsatisfiable core. Our method is theoretically EXPTIME and EXPSPACE; although deciding minimal unsatisfiability (MU) is in PSPACE, no PSPACE method has been proposed to extract cores yet. Our method does not suffer from cumbersome timestamped variables, from the handling of incremental unrolling, or from the search for an upper bound as in unbounded model checking (UMC). Implementation is ongoing work. Three enhancements of the method would be: to study a QBF encoding of our method and analyze whether the learning we propose is easy for QBF solvers to reproduce; to use symbolic DFS; or to use alternating Büchi automata. Detecting conflicts in rules is critical for human-interactive contract management systems. Moreover, our method pinpoints temporal issues in any automatic tool which is sensitive to the consistency of many evolving heterogeneous policies, such as regulatory laws, internal business rules, security or privacy policies. The extension of our method to the deontic modalities used in contracts appears straightforward, and we are also focusing on this issue.